[Photo: National Security Agency, Ft. Meade, MD via Wikimedia]

On the Kaspersky Hack

When the news first broke that Kaspersky had found NSA’s hacking tools on the computer of a TAO employee working at home, I recalled that Kaspersky had revealed it had gotten hacked in June 2015, right around the time of this breach (and after Kaspersky released a series of reports on US, British, and Israeli spying). Last night, the NYT reported that Israel discovered NSA documents on Kaspersky’s systems while they were hacking the Russian antivirus company.

Israeli intelligence officers informed the N.S.A. that in the course of their Kaspersky hack, they uncovered evidence that Russian government hackers were using Kaspersky’s access to aggressively scan for American government classified programs, and pulling any findings back to Russian intelligence systems. They provided their N.S.A. counterparts with solid evidence of the Kremlin campaign in the form of screenshots and other documentation, according to the people briefed on the events.

The WaPo, matching NYT’s story, has yet another ridiculous explanation for why the TAO employee was working at home (though one that probably gets closer to the truth than the other three given thus far),

“There wasn’t any malice,” said one person familiar with the case, who, like others interviewed, spoke on the condition of anonymity to discuss an ongoing case. “It’s just that he was trying to complete the mission, and he needed the tools to do it.”

But the WaPo also reveals that the National Intelligence Council completed a report last month judging that FSB likely had access to Kaspersky’s source code.

Late last month, the National Intelligence Council completed a classified report that it shared with NATO allies concluding that the FSB had “probable access” to Kaspersky customer databases and source code. That access, it concluded, could help enable cyberattacks against U.S. government, commercial and industrial control networks.

Those scoops have drowned out this one from Cyberscoop, which explained that the reason the US first came to suspect Kaspersky is because the FSB told the US to stop snooping on the antivirus firm.

In the first half of 2015, Kaspersky was making aggressive sales pitches to numerous U.S. intelligence and law enforcement agencies, including the FBI and NSA, multiple U.S. officials told CyberScoop. The sales pitch caught officials’ attention inside the FBI’s Counterterrorism Division when Kaspersky representatives boasted they could leverage their product in order to facilitate the capture of targets tied to terrorism in the Middle East. While some were intrigued by the offer, other more technical members of the intelligence community took the pitch to mean that Kaspersky’s anti-virus software could effectively be used as a spying tool, according to current U.S. intelligence officials who received briefings on the matter.

The flirtation between the FBI and Kaspersky went far enough that the bureau began looking closely at the company and interviewing employees in what’s been described by a U.S. intelligence official as “due diligence” after Counterterrorism Division officials viewed Kaspersky’s offerings with interest.

The examination of Kaspersky was immediately noticed in Moscow. In the middle of July 2015, a group of CIA officials were called into a Moscow meeting with officials from the FSB, the successor to the KGB. The message, delivered as a diplomatic démarche, was clear: Do not interfere with Kaspersky.

These stories still are almost certainly revealing just a fraction of the story. All ignore Kaspersky’s reports laying out US and allies’ spying tools (explaining why Israel might hack Kaspersky and share the details, if not the work). And the most logical explanation for the FSB démarche is that Kaspersky — as they said at the time — reported the hack to their relevant law enforcement agency, which is the FSB, who in turn yelled at the CIA.

None of that is to minimize the intrusiveness of Kaspersky’s software. It’s just to remind that the US does this stuff too, and like Russia, requires compliance from US based software companies (though recent court decisions have required compliance on data for the entire globe).

Which is something the NYT admits, but doesn’t detail.

The N.S.A. bans its analysts from using Kaspersky antivirus at the agency, in large part because the agency has exploited antivirus software for its own foreign hacking operations and knows the same technique is used by its adversaries.

Finally, one other thing that could be going on here: all these entities do piggyback hacks on each other, and in fact it’s the first thing most of their tools do when they breach targeted systems — look who else is already there so you can see what they’re stealing and usually take your own copy.

Which means it’s possible that Russia found the NSA files by piggybacking on Israel. Or vice versa. Or, it could be nothing more complex than FSB taking the files it found while it responded to the Kaspersky hack and using them themselves.

None of this yet explains where the Shadow Brokers’ tools came from (though I think the method may be similar). But I’ll return to that later this week.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including Vice, Motherboard, the Nation, the Atlantic, Al Jazeera, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse in Grand Rapids, MI.

37 replies
  1. lefty665 says:

    Anti virus software is intrusive, but it is an intrusion we have decided to allow and to trust. With what we now know about Kaspersky, there is no reason to think that ALL anti virus has not been exploited by national technical means, especially, NSA, the Israelis, the Russians, and probably more like the Brits and Germans.

    The question also remains why the NSA TAO employee is not being prosecuted for violating 793 (f). Taking highly classified software out of its secure environment to his home where it was lost is the epitome of what that section of the law was enacted to punish and dissuade. Intent is not a defense.

     

    • SpaceLifeForm says:

      Maybe because it is a cover story? And what really happened is not the story being reported?

      I really believe Tor was and probably still is involved in this ongoing story.

      Spy vs Spy. Hacking back.

  2. bloopie2 says:

    Apparently U.S.-based cyber firm Symantec is no longer allowing governments to review the source code of its software because of fears that would compromise the security of its products.  I know that’s been reported before, but is it unusual?  Also, your post notes that “FSB likely had access to Kaspersky’s source code”.  Symantec apparently doesn’t do that even for US agencies.  Or is all this irrelevant because nations can hack such software anyway?
     https://www.cnbc.com/2017/10/10/symantec-ceo-says-source-code-reviews-pose-unacceptable-risk.html
     

    • lefty665 says:

      Interesting link, thanks for providing it. The implication is that Symantec allowed the Russians, and apparently other foreign governments, to examine source code until last year. The focus of the article was foreign markets, I don’t believe there was anything that declared Symantec did not allow NSA access to its source code. Source code access sure makes exploits easier. More surprising was that HP’s Enterprise division allowed the Russians, and maybe others, to review source code for cyber defense software used by the Pentagon. But then DoD still seems to be allowing thumb drives in computers accessing classified information. Cyber security is not a US strong suit.

    • SpaceLifeForm says:

      TLAs do not need the source code. They have the resources to reverse engineer it. In fact, that is more trustable than reviewing source code, because on any given day, a given binary may no longer match the source code that was/is available for review.

      • lefty665 says:

        Reverse engineering is easier when you’ve got the source code to start from.  When the source changes so that you no longer have access, reverse engineering the changes is how you get back in, but having the source code to start with makes the job a lot easier.

        • SpaceLifeForm says:

          Damn Straight. Having any source code even if off a bit definitely helps.

          Reminds me of a Reverse Engineering project i did over 2 decades ago. I found a problem, it was not a security issue (code ran as root, but no exploitable API), it was a performance problem. And this code needed to run as fast as possible.

          After doing the reverse-engineering (I.E., I created source code from the binary, compiled my source code, and made sure my binary code matched the released binary from the vendor), I reported the issues to the vendor.

          I also discovered that their source code had an unused local variabe (an INT,, 16 bit). But that was not the performance issue.

          The performance issue was an heavy overhead kernel call that was unneeded.

          I provided my original reverse-engineered source code and my ‘fixed’ source code which working perfectly without the performance overhead.

          A few days later, a tech from vendor showed up.

          We were a beta site for this new software.

          The vendor was convinced in their minds that they must have accidently given us the source code.

          I said, no, I just reversed-engineered it, here is the media you provided (9-track), and there is no source code on it.

          The vendor was all good and later they actually put my performance fix into their production code.

          • lefty665 says:

            Decompilers are nice tools. The ones I had took doing global replaces on the labels to make them intelligible in the decompiled source, at least for me anyway. Funny mix isn’t it? Sometimes you learn something, as in “Pretty neat trick guys”. Other times it is “Sheeit, I can do that better, what were y’all thinking?”  Hope they at least gave you credit in the comments:)  Bit twiddling and tweaking for performance was earnest stuff back in the days before everything had cubic memory and horsepower.

            • SpaceLifeForm says:

              No decompilers back then. This was by brain and keyboard starting with opcodes and knowing how the compiler worked.

              Figuring out the data being used.

              Very tedious. I was fortunate that it was not thousands of lines of source code.

              A CASE statement caused a bunch of headache for some time until I figured out what the compiler was doing with CASE statements.

              Still took days.

              • lefty665 says:

                Wow! Nice work, and hard. If, then, else certainly allows for variations in branching logic handling. I was lucky enough to be working with a language that compiled to a numeric object code (octal – like Tom Leherer’s New Math routine) and interpeted to the OS from there. Made it easy to move between OS’s. That made a decompiler easier too. But, it decompiled inline. First step was to identify the code repeats and pull them out into called sub routines. Still nowhere near as tedious as what you were doing. But I guess thinking in numbers gets easier with practice, and assembler (as far down as I ever dug) is just mnemonics for opcodes.

    • SpaceLifeForm says:

      True. Unless what is of extreme value *must* be “on” the internet in order to have any value.

      The case you are thinking of is what most people worry about. Ex: Equifax. Or Yahoo, etc, etc.

      Your PII (Personally Identifying Information) is what an individual does not want exfiltrated.

      But another side is TLA hacking tools.

      Excepting a Stuxnet type of attack (USB key attack), most intel gathering (an attack), requires that at some point, the tools will be on the internet somewhere.

      Otherwise, they have no value because they are functionally dead.

      But, because they are on the internet and are deployed, they can be discovered (and reverse engineered).

      This is likely what led to SB and Vault7.

    • lefty665 says:

      SLF is right, plus it is not so long ago we lost secure air gapped machines/networks due to our inability to maintain discipline and keep our guys from moving compromised usb sticks between secure and insecure (web enabled) systems. Segregation from the internet does not prevent stupid.

  3. Mike Eckel says:

    the CyberScoop story is troubling because Kaspersky’s “roof” in Moscow was the FSB cybercrime division (the one that is now in deep high treason shit). And that division cooperated with the FBI and USSS for many years. So why would the FSB be complaining to the CIA instead? That suggests rival camps within the FSB. Or CyberScoop’s sources don’t understand the nuances of Russian intelligence.

    • SpaceLifeForm says:

      Or, FSB *thought* it was CIA when it may have been a different TLA.

      Or, FSB knew it was *not* CIA but it was a misdirection ploy.

      Such are the issues of attribution.

      Throw in Tor and malware/spyware signatures.

      Easy to be misdirected, especially if you are a
      US Congresscritter that does not get the tech.

  4. SpaceLifeForm says:

    A WAPO headline that should be edited.

    The word ‘foreign’ should be removed.
    As written, it implies that US TLAs are just totally pure as snow and only non-US TLAs are the bad guys. (I’m sure you have seen this movie before)

    The headline:

    The Daily 202: Foreign intelligence agencies might be using your anti-virus software against you

    https://www.washingtonpost.com/news/powerpost/paloma/daily-202/2017/10/11/daily-202-foreign-intelligence-agencies-might-be-using-your-anti-virus-software-against-you/59dd6e5a30fb0468cea81e60/

    [All TLAs reverse engineer antivir binaries. It is a basic step so they can deploy their spyware without being caught by the antivir. The malware/spyware either has to bypass the antivir or has to obfuscate itself so well that the antivir does not catch the attack. Reverse-engineering the antivir is important for either of the bypass/hide methods]

    [The point: The headline is crap. Do not think for a minute that US TLAs do not reverse-engineer *ALL* of the various antivir suites]

  5. SpaceLifeForm says:

    What you may think is offtopic, but unfortunately it is not. Microsoft may be being complicit in attacks but is trying to avoid the issue. This is a phishing attack using emails that allegedly come from SEC.

    http://blog.talosintelligence.com/2017/10/dnsmessenger-sec-campaign.html/

    The emails themselves contained a malicious attachment that when opened would initiate a sophisticated multi-stage infection process leading to infection with DNSMessenger malware. The malicious attachments were Microsoft Word documents. Rather than leveraging macros or OLE objects, which are some of the most common ways that Microsoft Word documents are leveraged to execute code, these attachments leveraged Dynamic Data Exchange (DDE) to perform code execution. A description of this technique has been published here
    [https://sensepost.com/blog/2017/macro-less-code-exec-in-msword/]. This technique has recently been publicized following a Microsoft decision that this functionality is a feature by design and will not be removed. We are now seeing it actively being used by attackers in the wild, as demonstrated in this attack.

  6. SpaceLifeForm says:

    WSJ reups. Why? Money.

    https://arstechnica.com/information-technology/2017/10/kaspersky-reportedly-modified-its-av-to-help-russia-steal-nsa-secrets/

    [BS. There is a tell that says that is *NOT* the case]

    The WSJ went on to report that US intelligence agencies spent months studying and experimenting with Kaspersky software to see if they could trigger it into behaving as if it had discovered classified materials on a computer being monitored by US spies. “Those experiments persuaded officials that Kaspersky was being used to detect classified information,” Wednesday’s report said.

    [“Experimenting”, “behaving”, “as if”]

    [TLAs feeding fakenews. They are blowing their cover story]

    [This is all BS for 702 renewal]

  7. jo6pac says:

    My way of thinking is israel is still mad that Kaspersky group were smart enough to figure out israel/Amerika was the creators of the mare-ware that they spread in Iran. Other that there’s no there, there.

    All thing Russian evil and all thing Amerikan/israel good;-)

  8. SpaceLifeForm says:

    OT: T-Mobile, how could you be this dumb? This is basic stuff.

    https://motherboard.vice.com/en_us/article/wjx3e4/t-mobile-website-allowed-hackers-to-access-your-account-data-with-just-your-phone-number

    T-Mobile customers were already breach victims as the result of the hacking of credit reporting agency Experian. As Reuters reported October 1, data on 15 million people who applied for T-Mobile accounts or to purchase new devices through the company over the last two years were exposed as part of the Experian breach.

  9. SpaceLifeForm says:

    SWIFT still being attacked.

    http://www.reuters.com/article/cyber-heist/swift-says-hackers-still-targeting-bank-messaging-system-idINKBN1CI1ED

    [Maybe because they still trust RSA?]

    The backstory:

    http://www.reuters.com/article/cyber-heist/swift-says-hackers-still-targeting-bank-messaging-system-idINKBN1CI1ED

    http://www.tasgroup.eu/solutions/payment-networks/service-bureau

    The Electronic Banking Internet Communication Standard (EBICS) in standard HTTP with TLS encryption (HTTPS) over the internet

      • SpaceLifeForm says:

        It all ties together. When the antivir is attacked, then malware can be loaded, and data exfiltrated.

        https://safebreach.com/Post/Adventures-of-AV-and-the-Leaky-Sandbox

        This year’s research was based on an interesting premise – in a highly secure enterprise where endpoints have no direct Internet connection, could sensitive data still be exfiltrated? Our researchers demonstrated that in fact, under the right conditions, they could exfiltrate data by taking advantage of architecture flaws in some cloud-enhanced anti-virus products.

        Our technique exfiltrates data inside an executable file which is created on the endpoint (by the main malware process). This executable then triggers anti-virus detection whereupon the AV agent uploads the file to the anti-virus cloud for further inspection. The anti-virus server executes this file in a sandbox, which then allows the executable to send the sensitive data to the attacker’s command and control server.

        [The malware creates a program that has info to exfiltrate (credentials most likely), attempts to run the program, the antivir detects as bad, uploads to cloud, cloud runs in sandbox, and the code sends out the critical data (the credentials) to a C2 server before the cloud sandbox can figure out what happened.

        It is a double exfiltration.

        The antivir exfiltrates to cloud server in order to analyze the “Malware”.

        The cloud server exfiltrates the payload (the credentials) to a C2 (Command and Control) server somewhere on the internet.

        The Antivir was *used* as a middleman.

      • SpaceLifeForm says:

        Notes:

        “where endpoints have no direct Internet connection”

        Means that everyone has to use a proxy server on their intranet in order to access the internet at large. Internally, IT is forcing everyone to use a proxy to access the internet. Very standard procedure.

        But the Antivir is allowed to reach the internet because cloud, and how antivir wants to analyze new attacks.

        The Antivir is allowed to ‘call home’ (send to cloud).

        The Antivir may have actually done its job, preventing the execution of the program.

        It is the second part where the actual damage is done.

        It is very stealth.

        Interesting. The WannaCry killswitch does not work if proxy is being enforced.

        • bmaz says:

          Yes yes, it is all about the “Antivir”.

          Were you into Thermite “pulling” WTC building 7 too?

          You copiously and relentlessly occupy our comment threads with jingoistic tech babble like you are a resident. You are not. Over half the comments to this post are blabber from you.

          Explain your commentary instead of just treating this like your own little playground to hear yourself talk. Or find somewhere else.

        • greengiant says:

          Gotta wonder if some of the different XP based US voting machines/servers, although theoretically air gapped, were the target of different 2017 viruses and whether USB drives have ever been enhanced with blue tooth capability/vulnerabilities as part of the attack vector.  Cause historically 21st century the machines were hacked by manually putting in the “fixed” thumb drive equivalents.  Also note the white/black hat virus strategy to release to clean up malware or  clean up TLA hacks.  To loop back to topic,  EW tweets asking how the Stoyanov prosecution is rolling.

  10. SpaceLifeForm says:

    More Interpol

    http:/.www.reuters.com/article/amp/idUSKBN1CF26O

    “Balkanisation, especially in the cyber security community – that is happening and that needs to be corrected,” said Noboru Nakatani, executive director of Interpol’s Global Complex for Innovation.

    “The reality is criminals, they are working together by sharing information by helping each other to make money,” he said at a cyber crime conference in Moscow. “Do you think the governments or the good people are doing the same?”

Comments are closed.